2021-11-16 20:26:38 +01:00
|
|
|
# Routeur `linksys` : serveur-mère de l'infrastructure de Libre en Communs
|
|
|
|
|
|
|
|
|
|
|
|
### Matériel
|
|
|
|
|
|
|
|
Linksys WRT3200ACM (ARMv7 Processor rev 1 (v7l))
|
|
|
|
|
|
|
|
### Logiciel
|
|
|
|
|
|
|
|
Système d'exploitation : OpenWrt 21.02.1 / LuCI openwrt-21.02
|
|
|
|
Reverse proxy HTTP(S) : `nginx`
|
|
|
|
Interface graphique : `luci`
|
|
|
|
VPN : `openvpn`
|
|
|
|
Certificats SSL : `acme`
|
|
|
|
|
|
|
|
|
|
|
|
### Caractéristiques notables
|
|
|
|
|
|
|
|
Domaine : routeur.libre-en-communs.org
|
|
|
|
Adresse ipv4 publique : 80.67.179.96
|
|
|
|
Adresse ipv4 locale : 192.169.1.1
|
|
|
|
Adresse ipv6 publique : 2001:910:1360::1
|
|
|
|
|
|
|
|
#### Configuration des interfaces
|
|
|
|
|
|
|
|
##### /etc/config/network
|
|
|
|
|
|
|
|
config interface 'loopback'
|
|
|
|
option device 'lo'
|
|
|
|
option proto 'static'
|
|
|
|
option ipaddr '127.0.0.1'
|
|
|
|
option netmask '255.0.0.0'
|
|
|
|
|
|
|
|
config globals 'globals'
|
|
|
|
option ula_prefix 'fd91:24db:dc7e::/48'
|
|
|
|
|
|
|
|
config device
|
|
|
|
option name 'br-lan'
|
|
|
|
option type 'bridge'
|
|
|
|
list ports 'lan1'
|
|
|
|
list ports 'lan2'
|
|
|
|
list ports 'lan3'
|
|
|
|
list ports 'lan4'
|
|
|
|
|
|
|
|
config interface 'lan'
|
|
|
|
option device 'br-lan'
|
|
|
|
option proto 'static'
|
|
|
|
option ipaddr '192.169.1.1'
|
|
|
|
option ip6assign '64'
|
|
|
|
list ip6class 'wan6'
|
|
|
|
option netmask '255.255.255.0'
|
|
|
|
list dns '80.67.169.12'
|
|
|
|
list dns '80.67.169.40'
|
|
|
|
|
|
|
|
config device
|
|
|
|
option name 'wan'
|
|
|
|
option macaddr 'ea:9f:80:1a:08:80'
|
|
|
|
|
|
|
|
config interface 'wan'
|
|
|
|
option device 'wan'
|
|
|
|
option proto 'dhcp'
|
|
|
|
|
|
|
|
config interface 'wan6'
|
|
|
|
option device 'wan'
|
|
|
|
option proto 'static'
|
|
|
|
option ip6prefix '2001:910:1360::/48'
|
|
|
|
list ip6addr '2001:910:1360:ffff::1'
|
|
|
|
|
|
|
|
### Configuration des certificats SSL
|
|
|
|
#### /etc/config/acme
|
|
|
|
|
|
|
|
config acme
|
|
|
|
option state_dir '/etc/acme'
|
|
|
|
option debug '0'
|
|
|
|
option account_email 'cominfra@a-lec.org'
|
|
|
|
|
|
|
|
config cert 'example_wildcard'
|
|
|
|
option update_nginx '1'
|
|
|
|
option enabled '1'
|
|
|
|
list domains 'routeur.libre-en-communs.org'
|
|
|
|
option update_uhttpd '0'
|
|
|
|
option validation_method 'webroot'
|
|
|
|
option webroot '/www'
|
|
|
|
option keylength 'ec-384'
|
|
|
|
option use_staging '0'
|
|
|
|
|
|
|
|
### Configuration DHCP (IP statiques allouées aux VM et serveurs)
|
|
|
|
|
|
|
|
#### /etc/config/dhcp
|
|
|
|
|
|
|
|
config dnsmasq
|
|
|
|
option domainneeded '1'
|
|
|
|
option localise_queries '1'
|
|
|
|
option rebind_protection '1'
|
|
|
|
option rebind_localhost '1'
|
|
|
|
option local '/lan/'
|
|
|
|
option domain 'lan'
|
|
|
|
option authoritative '1'
|
|
|
|
option readethers '1'
|
|
|
|
option leasefile '/tmp/dhcp.leases'
|
|
|
|
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
|
|
|
|
option localservice '1'
|
|
|
|
option ednspacket_max '1232'
|
|
|
|
option logqueries '1'
|
|
|
|
option boguspriv '0'
|
|
|
|
option allservers '1'
|
|
|
|
|
|
|
|
config dhcp 'lan'
|
|
|
|
option interface 'lan'
|
|
|
|
option start '100'
|
|
|
|
option limit '150'
|
|
|
|
option leasetime '12h'
|
|
|
|
option dhcpv4 'server'
|
|
|
|
option ra 'hybrid'
|
|
|
|
option dhcpv6 'hybrid'
|
|
|
|
option ndp 'hybrid'
|
|
|
|
list ra_flags 'none'
|
|
|
|
|
|
|
|
config dhcp 'wan'
|
|
|
|
option interface 'wan'
|
|
|
|
option ignore '1'
|
|
|
|
|
|
|
|
config odhcpd 'odhcpd'
|
|
|
|
option maindhcp '0'
|
|
|
|
option leasefile '/tmp/hosts/odhcpd'
|
|
|
|
option leasetrigger '/usr/sbin/odhcpd-update'
|
|
|
|
option loglevel '4'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option ip '2001:910:1360::1'
|
|
|
|
option name 'routeur'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'routeur'
|
|
|
|
option ip '192.169.1.1'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'mother.libre-en-communs.org'
|
|
|
|
option ip '192.169.1.108'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'mother'
|
|
|
|
option ip '2001:910:1360::2'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'mother'
|
|
|
|
option ip '192.169.1.108'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'aunt.libre-en-communs.org'
|
|
|
|
option ip '192.169.1.206'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'aunt'
|
|
|
|
option ip '2001:910:1360::3'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'aunt'
|
|
|
|
option ip '192.169.1.206'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'mail'
|
|
|
|
option ip '2001:910:1360::148'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'mail'
|
|
|
|
option ip '192.169.1.201'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'dns'
|
|
|
|
option ip '2001:910:1360::11c'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'dns'
|
|
|
|
option ip '192.169.1.242'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'git.a-lec.org'
|
|
|
|
option ip '192.169.1.108'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'git'
|
|
|
|
option ip '2001:910:1360::42'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'git'
|
|
|
|
option ip '192.169.1.131'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'gestion'
|
|
|
|
option ip '2001:910:1360::1ab'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'gestion'
|
|
|
|
option ip '192.169.1.236'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'www'
|
|
|
|
option ip '2001:910:1360::1ca'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'www'
|
|
|
|
option ip '192.169.1.188'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'xmpp'
|
|
|
|
option ip '2001:910:1360::142'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'xmpp.a-lec.org'
|
|
|
|
option ip '2001:910:1360::142'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'xmpp'
|
|
|
|
option ip '192.169.1.211'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'xmpp.a-lec.org'
|
|
|
|
option ip '192.169.1.211'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'toot'
|
|
|
|
option ip '2001:910:1360::16a'
|
|
|
|
|
|
|
|
config domain
|
|
|
|
option name 'toot'
|
|
|
|
option ip '192.169.1.179'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'mother'
|
|
|
|
option dns '1'
|
|
|
|
option mac '08:60:6E:11:C3:CA'
|
|
|
|
option ip '192.169.1.108'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'aunt'
|
|
|
|
option dns '1'
|
|
|
|
option mac '20:CF:30:67:08:A7'
|
|
|
|
option ip '192.169.1.206'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option mac '52:54:00:C1:D0:69'
|
|
|
|
option ip '192.169.1.242'
|
|
|
|
option name 'dns'
|
|
|
|
option dns '1'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'gestion'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:C8:83:EC'
|
|
|
|
option ip '192.169.1.236'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'git'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:FD:63:1C'
|
|
|
|
option ip '192.169.1.131'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option mac '52:54:00:12:BC:CF'
|
|
|
|
option ip '192.169.1.201'
|
|
|
|
option name 'mail'
|
|
|
|
option dns '1'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'toot'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:E4:2A:97'
|
|
|
|
option ip '192.169.1.179'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option mac '52:54:00:07:F1:3C'
|
|
|
|
option ip '192.169.1.188'
|
|
|
|
option name 'www'
|
|
|
|
option dns '1'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'xmpp'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:0B:A6:ED'
|
|
|
|
option ip '192.169.1.211'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'xmpp.chalec.org'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:FC:74:4C'
|
|
|
|
option ip '192.169.1.204'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'tootest'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:25:18:BB'
|
|
|
|
option ip '192.169.1.232'
|
|
|
|
|
|
|
|
config host
|
|
|
|
option name 'audio'
|
|
|
|
option dns '1'
|
|
|
|
option mac '52:54:00:F1:8B:EC'
|
|
|
|
option ip '192.169.1.186'
|
|
|
|
|
|
|
|
### Configuration du pare-feu (et redirections de ports pour IPV4)
|
|
|
|
|
|
|
|
#### /etc/config/firewall
|
|
|
|
|
|
|
|
config defaults
|
|
|
|
option input 'ACCEPT'
|
|
|
|
option output 'ACCEPT'
|
|
|
|
option synflood_protect '1'
|
|
|
|
option forward 'ACCEPT'
|
|
|
|
|
|
|
|
config zone
|
|
|
|
option name 'lan'
|
|
|
|
list network 'lan'
|
|
|
|
option input 'ACCEPT'
|
|
|
|
option output 'ACCEPT'
|
|
|
|
option forward 'ACCEPT'
|
|
|
|
|
|
|
|
config zone
|
|
|
|
option name 'wan'
|
|
|
|
list network 'wan'
|
|
|
|
list network 'wan6'
|
|
|
|
option output 'ACCEPT'
|
|
|
|
option mtu_fix '1'
|
|
|
|
list device 'tun0'
|
|
|
|
option input 'ACCEPT'
|
|
|
|
option forward 'ACCEPT'
|
|
|
|
option masq '1'
|
|
|
|
|
|
|
|
config forwarding
|
|
|
|
option src 'lan'
|
|
|
|
option dest 'wan'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-DHCP-Renew'
|
|
|
|
option src 'wan'
|
|
|
|
option proto 'udp'
|
|
|
|
option dest_port '68'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
option family 'ipv4'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-Ping'
|
|
|
|
option src 'wan'
|
|
|
|
option proto 'icmp'
|
|
|
|
option icmp_type 'echo-request'
|
|
|
|
option family 'ipv4'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-IGMP'
|
|
|
|
option src 'wan'
|
|
|
|
option proto 'igmp'
|
|
|
|
option family 'ipv4'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-DHCPv6'
|
|
|
|
option src 'wan'
|
|
|
|
option proto 'udp'
|
|
|
|
option src_ip 'fc00::/6'
|
|
|
|
option dest_ip 'fc00::/6'
|
|
|
|
option dest_port '546'
|
|
|
|
option family 'ipv6'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-MLD'
|
|
|
|
option src 'wan'
|
|
|
|
option proto 'icmp'
|
|
|
|
option src_ip 'fe80::/10'
|
|
|
|
list icmp_type '130/0'
|
|
|
|
list icmp_type '131/0'
|
|
|
|
list icmp_type '132/0'
|
|
|
|
list icmp_type '143/0'
|
|
|
|
option family 'ipv6'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-ICMPv6-Input'
|
|
|
|
option src 'wan'
|
|
|
|
option proto 'icmp'
|
|
|
|
list icmp_type 'echo-request'
|
|
|
|
list icmp_type 'echo-reply'
|
|
|
|
list icmp_type 'destination-unreachable'
|
|
|
|
list icmp_type 'packet-too-big'
|
|
|
|
list icmp_type 'time-exceeded'
|
|
|
|
list icmp_type 'bad-header'
|
|
|
|
list icmp_type 'unknown-header-type'
|
|
|
|
list icmp_type 'router-solicitation'
|
|
|
|
list icmp_type 'neighbour-solicitation'
|
|
|
|
list icmp_type 'router-advertisement'
|
|
|
|
list icmp_type 'neighbour-advertisement'
|
|
|
|
option limit '1000/sec'
|
|
|
|
option family 'ipv6'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-ICMPv6-Forward'
|
|
|
|
option src 'wan'
|
|
|
|
option dest '*'
|
|
|
|
option proto 'icmp'
|
|
|
|
list icmp_type 'echo-request'
|
|
|
|
list icmp_type 'echo-reply'
|
|
|
|
list icmp_type 'destination-unreachable'
|
|
|
|
list icmp_type 'packet-too-big'
|
|
|
|
list icmp_type 'time-exceeded'
|
|
|
|
list icmp_type 'bad-header'
|
|
|
|
list icmp_type 'unknown-header-type'
|
|
|
|
option limit '1000/sec'
|
|
|
|
option family 'ipv6'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-IPSec-ESP'
|
|
|
|
option src 'wan'
|
|
|
|
option dest 'lan'
|
|
|
|
option proto 'esp'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Allow-ISAKMP'
|
|
|
|
option src 'wan'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '500'
|
|
|
|
option proto 'udp'
|
|
|
|
option target 'ACCEPT'
|
|
|
|
|
|
|
|
config rule
|
|
|
|
option name 'Support-UDP-Traceroute'
|
|
|
|
option src 'wan'
|
|
|
|
option dest_port '33434:33689'
|
|
|
|
option proto 'udp'
|
|
|
|
option family 'ipv4'
|
|
|
|
option target 'REJECT'
|
|
|
|
option enabled 'false'
|
|
|
|
|
|
|
|
config include
|
|
|
|
option path '/etc/firewall.user'
|
|
|
|
|
|
|
|
config forwarding
|
|
|
|
option src 'wan'
|
|
|
|
option dest 'lan'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'ssh 222 -> mother'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '222'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_ip '192.169.1.108'
|
|
|
|
option dest_port '222'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'ssh 223 -> aunt'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '223'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_ip '192.169.1.206'
|
|
|
|
option dest_port '223'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'dns 53 -> dns'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '53'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '53'
|
|
|
|
option dest_ip '192.169.1.242'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '25'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '25'
|
|
|
|
option name 'smtp -> mail'
|
|
|
|
option dest_ip '192.169.1.201'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '587'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '587'
|
|
|
|
option name 'smtps -> mail'
|
|
|
|
option dest_ip '192.169.1.201'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '993'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '993'
|
|
|
|
option name 'imaps -> mail'
|
|
|
|
option dest_ip '192.169.1.201'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'ssh 666 -> mail'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '666'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '22'
|
|
|
|
option dest_ip '192.169.1.201'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'ssh 22 -> git'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '22'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '22'
|
|
|
|
option dest_ip '192.169.1.131'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'ssh 777 -> www'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '777'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '22'
|
|
|
|
option dest_ip '192.169.1.188'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'xmpp c2s'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '5222'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '5222'
|
|
|
|
option dest_ip '192.169.1.211'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '5223'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '5223'
|
|
|
|
option name 'xmpp c2s tls'
|
|
|
|
option dest_ip '192.169.1.211'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'xmpp s2s'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '5269'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '5269'
|
|
|
|
option dest_ip '192.169.1.211'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'xmpp https'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '5443'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '5443'
|
|
|
|
option dest_ip '192.169.1.211'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'xmpp http'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '5280'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '5280'
|
|
|
|
option dest_ip '192.169.1.211'
|
|
|
|
|
|
|
|
config redirect
|
|
|
|
option target 'DNAT'
|
|
|
|
option name 'xmpp stun'
|
|
|
|
option src 'wan'
|
|
|
|
option src_dport '3478'
|
|
|
|
option dest 'lan'
|
|
|
|
option dest_port '3478'
|
|
|
|
option dest_ip '192.169.1.211'
|
|
|
|
|
|
|
|
### Configuration Reverse Proxy (nginx)
|
|
|
|
|
|
|
|
Note : IPV4 uniquement
|
|
|
|
|
|
|
|
#### /etc/nginx/uci.conf (fichier principal de configuration)
|
|
|
|
|
|
|
|
worker_processes auto;
|
|
|
|
|
|
|
|
user root;
|
|
|
|
|
|
|
|
events {
|
|
|
|
worker_connections 1024;
|
|
|
|
}
|
|
|
|
|
|
|
|
include reverse_proxy_ssl.conf;
|
|
|
|
|
|
|
|
http {
|
|
|
|
access_log off;
|
|
|
|
log_format openwrt
|
|
|
|
'$request_method $scheme://$host$request_uri => $status'
|
|
|
|
' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';
|
|
|
|
|
|
|
|
include mime.types;
|
|
|
|
default_type application/octet-stream;
|
|
|
|
sendfile on;
|
|
|
|
|
|
|
|
client_max_body_size 128M;
|
|
|
|
large_client_header_buffers 2 1k;
|
|
|
|
server_names_hash_bucket_size 64;
|
|
|
|
|
|
|
|
gzip on;
|
|
|
|
gzip_vary on;
|
|
|
|
gzip_proxied any;
|
|
|
|
|
|
|
|
root /www;
|
|
|
|
|
|
|
|
server { #see uci show 'nginx._lan'
|
|
|
|
listen 444 ssl proxy_protocol default_server;
|
|
|
|
listen [::]:444 ssl default_server;
|
|
|
|
server_name routeur.libre-en-communs.org;
|
|
|
|
include conf.d/*.locations;
|
|
|
|
ssl_certificate /etc/acme/routeur.libre-en-communs.org_ecc/fullchain.cer;
|
|
|
|
ssl_certificate_key /etc/acme/routeur.libre-en-communs.org_ecc/routeur.libre-en-communs.org.key;
|
|
|
|
ssl_session_cache shared:SSL:32k;
|
|
|
|
ssl_session_timeout 64m;
|
|
|
|
access_log off; # logd openwrt;
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
if ($host = routeur.libre-en-communs.org) {
|
2021-11-16 20:32:27 +01:00
|
|
|
return 302 https://$host$request_uri;
|
2021-11-16 20:26:38 +01:00
|
|
|
}
|
2021-11-16 20:32:27 +01:00
|
|
|
server_name routeur.libre-en-communs.org;
|
2021-11-16 20:26:38 +01:00
|
|
|
listen 80;
|
|
|
|
return 404;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
include reverse_proxy.conf;
|
|
|
|
include conf.d/*.conf;
|
|
|
|
}
|
|
|
|
|
|
|
|
#### /etc/nginx/reverse_proxy.conf (reverse proxy HTTP)
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name gestion.a-lec.org;
|
|
|
|
listen 80;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://gestion:80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name coffre.a-lec.org;
|
|
|
|
listen 80;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://gestion:80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name git.a-lec.org;
|
|
|
|
listen 80;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://git:80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name www.a-lec.org;
|
|
|
|
listen 80;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://www:80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name a-lec.org;
|
|
|
|
listen 80;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://www:80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name toot.a-lec.org;
|
|
|
|
listen 80;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://toot:80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#### /etc/nginx/reverse_proxy_ssl.conf (reverse proxy HTTPS)
|
|
|
|
|
|
|
|
stream {
|
|
|
|
|
|
|
|
map_hash_max_size 64;
|
|
|
|
map_hash_bucket_size 64;
|
|
|
|
map $ssl_preread_server_name $name_443 {
|
|
|
|
gestion.a-lec.org gestion_a-lec_443;
|
|
|
|
coffre.a-lec.org gestion_a-lec_443;
|
|
|
|
git.a-lec.org git_a-lec_443;
|
|
|
|
www.a-lec.org www_a-lec_443;
|
|
|
|
a-lec.org www_a-lec_443;
|
|
|
|
mail.a-lec.org mail_a-lec_443;
|
|
|
|
toot.a-lec.org toot_a-lec_443;
|
|
|
|
routeur.libre-en-communs.org routeur_444;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream gestion_a-lec_443 {
|
|
|
|
server gestion:443;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream git_a-lec_443 {
|
|
|
|
server git:443;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream mail_a-lec_443 {
|
|
|
|
server mail:443;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream www_a-lec_443 {
|
|
|
|
server www:443;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream toot_a-lec_443 {
|
|
|
|
server toot:443;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream routeur_444 {
|
|
|
|
server 127.0.0.1:444;
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen 443;
|
|
|
|
proxy_pass $name_443;
|
|
|
|
proxy_protocol on;
|
|
|
|
ssl_preread on;
|
|
|
|
}
|
|
|
|
|
|
|
|
log_format basic '$remote_addr [$time_local] '
|
|
|
|
'$protocol $status $bytes_sent $bytes_received '
|
|
|
|
'$session_time "$upstream_addr" '
|
|
|
|
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
|
|
|
|
|
|
|
|
}
|